Tag Archives: Risk

HUD Inspector General Warns Over 1 Billion Personally Identifiable (PI) Records At Risk



“The management alert bulletin, issued Jan. 13 by HUD’s Office of Inspector General, warns that ‘HUD is unable to identify, categorize, and adequately secure all of its electronic and paper records that contain personally identifiable information.’”


“The Department of Housing and Urban Development is failing to safeguard and manage more than 1 billion records containing personally identifiable information, according to a management alert from the agency’s internal watchdog.

An accompanying memorandum, circulated to HUD officials in December, points to several risk factors. HUD maintains legacy systems that lack basic electronic transaction processing capabilities, which in turn leads to a reliance on paper processing. A survey of HUD officials found that many in the agency are concerned about the volume of paper records held by the agency — including mortgage binders with personal and financial information.

The December memorandum indicated that a formal report was forthcoming but that in the course of the assessment, OIG personnel “encountered specific records management and privacy issues that pose a serious threat to sensitive information that we believed important to raise now rather than wait for the conclusion of our broader evaluation.”

The OIG probe also found that HUD lacks a complete records inventory and that eight of 25 offices surveyed had an inventory of electronic records with personally identifiable information. What’s more, HUD systems don’t allow for any kind of enterprisewide search to locate sensitive information. The agency also is lagging behind in governmentwide efforts to convert from paper to electronic records and in implementing a data classification process to identify and tag controlled unclassified information.

“As a federal agency housing such an extensive amount of sensitive data, HUD must prioritize its capability to properly identify and protect this information,” the OIG alert states. “Failure to do so places both the agency and private citizens at risk.”

The alert comes as some in Congress are concerned that HUD is leveraging facial recognition software to provide security in facilities subsidized by the agency. A group of Democratic lawmakers from the House and Senate asked HUD Secretary Ben Carson in a Dec. 18 letter about the use of such technology in federally subsidized housing, including rules about biometric data collection and retention.”


Homeland Security Must Manage Risk – Not Events




“The department’s mitigation programs, relationships with states and localities, and emerging analytic capability make it the ideal hub for a risk management mission.

The DHS isn’t doing its job because it doesn’t know what its job is.

Rather than combating terrorism, the department should refocus its mission around combating risks of all kinds.

It was created as a mishmash of 22 disparate agencies in the rush to respond to the Sept. 11 attacks. Congress and the president created the department with the explicit mission of preventing terrorism, but they included unrelated agencies that needed a home, while other important terrorism- or disaster-related agencies were left out.

Today, the department’s management spends much of its precious time responding to the headline of the day across multiple missions of protecting the border, preparing for natural disasters, and managing airport screeners. Its frontline employees don’t fare any better — the agency routinely tops the list of worst places to work in government. Fortunately, the department can do better. Public administration scholars have found that one of the best ways to improve job satisfaction is to make missions and goals more clear and less ambiguous.

Fixing the department requires jettisoning the holding company model and leaving the job of curbing terrorist threats to the Department of Justice, which houses the FBI. Without terrorism at the center, the agency can refocus on assessing and reducing an array of risks for natural and technological disasters. For any particular threat, such as terrorism or hurricanes, risk is a function of the probability of the threat multiplied by the potential consequences.  That sounds simple enough, but if done correctly it could transform how we prepare for disasters and make the country safer.

Right now, the DHS manages siloed programs to prepare for many different kinds of threats. But it is difficult to prioritize investments across different threats over time. A reformed department would compare the risks posed by hurricanes, forest fires, tornadoes, radiological “dirty bombs,” and cyber attack. Some defenses, such as concrete barriers, can reduce the damage caused by both floods and terrorism. The department could also assess risks over time. Investing in mitigation, or reducing the damage caused by disasters before they happen, is cheaper than coming to the rescue after a disaster. A report from the Multihazard Mitigation Council found that mitigation saves society an average of $4 for every $1 spent. It is difficult to convince politicians and department leaders to spend money on mitigation, however, because they cannot easily take credit for helping to prevent a disaster that never happened, or that might not happen on their watch.

The DHS’ disaster management arm, FEMA, already offers grants to states and localities to build mitigation programs. But these programs are modest, and FEMA employees make up less than two percent of the department. Extending the mission of FEMA’s modest mitigation directorate would reorient the department around illustrating what risks society faces and what investments would reduce them. There is much work to be done. Convincing cash-strapped jurisdictions to spend money on mitigation requires evidence that the cost is worth it.

Some department officials say that they are already doing risk management. When compared with the careful forecasts of the National Oceanic and Atmospheric Administration or the exhaustive reports of the General Accountability Office, however, DHS products come up short. Building on analytic capacity from other agencies and the private sector could make the DHS the government face for information about risk.

For all the complaints that cities make about the department, the DHS has closer ties to cities and states than do most of the expert science agencies in the federal government. DHS border agents work closely with state and local police, and FEMA operates grant programs with every state and many counties. The department’s connections to the street level could be significantly enhanced with a sharper focus on risk management that leverages these existing relationships.

A reinvigorated DHS would leave chasing terrorists to better equipped agencies, jettisoning the ostensible reason for the department’s creation. Its new and expanded mission of assessing, illustrating, and reducing risks of disasters of all kinds is better suited for the 21st century. The world may not be more dangerous than it was in the last century, but it is more complex.”


Managing the unseen threats to your enterprise





“Who owns risk management, as a function, in a company?

Clearly risk management spans across company functions and boundaries.

Risk management, the proactive anticipation and management of identified risk, has been long established in the financial and insurance industries.

In the federal market, risk management has become commonly associated with IT security and especially the Federal Risk and Management Program (FedRAMP).  However, risk is an issue that extends far beyond IT and permeates all organizations.

Risk management has four overarching pillars:

  • Strategic – vision, political threats and opportunities, diversification, management’s ability to perceive/anticipate market and industry influencers, company adaptability, ethics, strategic metrics, degree of risk tolerance, and crisis management plan
  • Financial – having adequate funds to perform, stable source(s) of funding, accurate reporting, and routine and surprise audits
  • Operations – policies, processes, performance, compliance, tactical metrics, and quality
  • Technological – having the right platforms and tools for the work to be performed, technology competence, IT security, and innovativeness.

How might a company proactively manage its risk?  Should risk management, as a function, be owned by an executive, one department, all managers, all employees or ultimately the Board?

Risk Management and its mitigation are too broad in scope for one person to manage it. The simple answer is that everyone owns risk management.  However, when everyone is an owner, it is owned by no one.

Traditionally, boards of directors or advisors have three primary responsibilities or areas of concern: (1) ensuring the accuracy and integrity of the company’s financials and concomitant reporting, (2) ensuring a commitment to ethical conduct across the company, and (3) validating the company’s strategic vision and plan for the future i.e. future viability. Normally boards do not have insight into operations or tactics that create risks for the company until there is an evident negative outcome.

When negative consequences or publicity arise, a company’s reputation, brand, and business model can be put at grave risk. The company may or may not have the time and resources to recover. With senior management being increasingly pulled into routine operational or financial issues, they may neither have the time nor perceive the company’s myriad sources of risk.

Boards should lead an ongoing discussion concerning how the company identifies, assesses, monitors, manages and reports the kinds of risks the company may encounter and their mitigation.”


Bob Davis

About the Author

Robert Davis is president of Robert Davis & Associates. He has over 35 years’ experience in the federal IT industry and has held senior positions with products- and services-oriented technology companies during his career, including marketing, market development, capture and program management, and business development. Robert Davis & Associates is a marketing consulting firm that supports medium-size and small businesses in the B2G industry.